Basic LAN-to-LAN Configuration Between ASAs

From Internetworkpro



Overview

This is a plain, basic IPsec LAN-to-LAN (site-to-site) configuration between two ASA 5505s, using IKEv1 with a pre-shared key and pre-8.3 NAT syntax. The two sides are mirror images of each other: ACL-VPN defines the interesting traffic, ACL-NONAT exempts that traffic from the outside PAT, and the ISAKMP policy, transform set and pre-shared key must match on both peers.

Diagram

(Diagram: basic-lan-2-lan.png)

Configuration

ASA1 Configuration
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.100.100.100 255.255.255.0
!
! Ethernet0/0 carries the outside VLAN; the other switch ports stay in VLAN 1 (inside)
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
! Interesting traffic for the tunnel: must be the exact mirror of ASA2's ACL-VPN
access-list ACL-VPN extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
! NAT exemption: tunnel traffic must not be PATed to the outside address
access-list ACL-NONAT extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list ACL-NONAT
nat (inside) 1 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
!
! Phase 2 (IPsec) proposal
crypto ipsec transform-set TSET esp-aes-256 esp-sha-hmac
!
crypto map CMAP 1 match address ACL-VPN
crypto map CMAP 1 set peer 200.200.200.200
crypto map CMAP 1 set transform-set TSET
crypto map CMAP interface outside
!
! Phase 1 (ISAKMP/IKEv1) policy: must match ASA2's
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! The pre-shared key must be identical on both peers
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
 pre-shared-key <KEY>


ASA2 Configuration
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.200.200.200 255.255.255.0
!
! Ethernet0/0 carries the outside VLAN; the other switch ports stay in VLAN 1 (inside)
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
! Interesting traffic for the tunnel: must be the exact mirror of ASA1's ACL-VPN
access-list ACL-VPN extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
! NAT exemption: tunnel traffic must not be PATed to the outside address
access-list ACL-NONAT extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list ACL-NONAT
nat (inside) 1 10.20.20.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
!
! Phase 2 (IPsec) proposal
crypto ipsec transform-set TSET esp-aes-256 esp-sha-hmac
!
crypto map CMAP 1 match address ACL-VPN
crypto map CMAP 1 set peer 100.100.100.100
crypto map CMAP 1 set transform-set TSET
crypto map CMAP interface outside
!
! Phase 1 (ISAKMP/IKEv1) policy: must match ASA1's
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! The pre-shared key must be identical on both peers
tunnel-group 100.100.100.100 type ipsec-l2l
tunnel-group 100.100.100.100 ipsec-attributes
 pre-shared-key <KEY>
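A consistency check added here as an example (it is not part of the original page). The usual reasons a tunnel like this never comes up are crypto ACLs that are not exact mirrors (a proxy ID mismatch), a set peer address that is not the other side's outside address, a missing tunnel-group for that peer, or a NAT exemption that does not cover the tunnel traffic. The script parses the L2L-relevant lines of both configurations above (embedded as constructed strings in pre-8.3 syntax, ASA2 derived from ASA1 by swapping addresses) and reports any mismatch. The function names parse_asa and check_pair are my own; pre-shared keys are not compared, since they should never be pasted into a script.

```python
# Constructed sample input: the L2L-relevant lines of the ASA1 config on this page
# (pre-8.3 syntax). Pre-shared keys are deliberately left out.
ASA1 = """\
interface Vlan2
 nameif outside
 ip address 100.100.100.100 255.255.255.0
access-list ACL-VPN extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list ACL-NONAT extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (inside) 0 access-list ACL-NONAT
crypto ipsec transform-set TSET esp-aes-256 esp-sha-hmac
crypto map CMAP 1 match address ACL-VPN
crypto map CMAP 1 set peer 200.200.200.200
crypto map CMAP 1 set transform-set TSET
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
tunnel-group 200.200.200.200 type ipsec-l2l
"""
# ASA2 is the mirror image: outside 200.200.200.200, peer 100.100.100.100, networks swapped
ASA2 = (ASA1.replace("100.100.100.100", "@").replace("200.200.200.200", "100.100.100.100")
        .replace("@", "200.200.200.200")
        .replace("10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0",
                 "10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0"))

def parse_asa(text):
    """Pull out the pieces of a pre-8.3 ASA config that an IPsec L2L tunnel depends on."""
    cfg = {"outside_ip": None, "acls": {}, "nat0_acl": None, "tsets": {},
           "cmap": {}, "isakmp": {}, "tgroups": set()}
    block, iface = None, {}
    for line in text.splitlines():
        p = line.split()
        if not p or p[0] == "!":
            continue
        if line[0] == " ":                        # indented sub-command of the current block
            if block == "interface":
                if p[0] == "nameif":
                    iface["nameif"] = p[1]
                elif p[:2] == ["ip", "address"]:
                    iface["ip"] = p[2]
                if iface.get("nameif") == "outside" and "ip" in iface:
                    cfg["outside_ip"] = iface["ip"]
            elif block == "isakmp":
                cfg["isakmp"][p[0]] = " ".join(p[1:])
            continue
        block = None
        if p[0] == "interface":
            block, iface = "interface", {}
        elif p[:3] == ["crypto", "isakmp", "policy"]:
            block = "isakmp"
        elif p[0] == "access-list" and "permit" in p:
            i = p.index("permit")                 # ... permit ip SRC SMASK DST DMASK
            cfg["acls"].setdefault(p[1], set()).add(tuple(p[i + 2:i + 6]))
        elif p[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0_acl"] = p[4]
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][p[3]] = tuple(p[4:])
        elif p[:2] == ["crypto", "map"] and len(p) == 7 and p[3].isdigit():
            cfg["cmap"][" ".join(p[4:6])] = p[6]  # "match address", "set peer", "set transform-set"
        elif p[0] == "tunnel-group" and p[2:4] == ["type", "ipsec-l2l"]:
            cfg["tgroups"].add(p[1])
    return cfg

def mirror(acl):
    """Swap source and destination of every entry: what the peer's crypto ACL must look like."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in acl}

def check_pair(a, b):
    """Return the inconsistencies between two L2L peers; an empty list means they agree."""
    problems = []
    for name, local, remote in (("ASA1", a, b), ("ASA2", b, a)):
        cm = local["cmap"]
        acl = local["acls"].get(cm.get("match address"), set())
        if cm.get("set peer") != remote["outside_ip"]:
            problems.append(f"{name}: peer {cm.get('set peer')} is not the remote outside address")
        if cm.get("set peer") not in local["tgroups"]:
            problems.append(f"{name}: no ipsec-l2l tunnel-group named {cm.get('set peer')}")
        if cm.get("set transform-set") not in local["tsets"]:
            problems.append(f"{name}: crypto map uses an undefined transform-set")
        if not acl:
            problems.append(f"{name}: crypto map matches no ACL entries")
        if not acl <= local["acls"].get(local["nat0_acl"], set()):
            problems.append(f"{name}: NAT exemption does not cover all crypto ACL entries")
    acl_a = a["acls"].get(a["cmap"].get("match address"), set())
    acl_b = b["acls"].get(b["cmap"].get("match address"), set())
    if mirror(acl_a) != acl_b:
        problems.append("crypto ACLs are not mirror images (proxy ID mismatch)")
    if a["tsets"].get(a["cmap"].get("set transform-set")) != b["tsets"].get(b["cmap"].get("set transform-set")):
        problems.append("IPsec transform-sets differ")
    for attr in ("authentication", "encryption", "hash", "group"):
        if a["isakmp"].get(attr) != b["isakmp"].get(attr):
            problems.append(f"ISAKMP {attr} differs: {a['isakmp'].get(attr)} vs {b['isakmp'].get(attr)}")
    return problems

if __name__ == "__main__":
    print(check_pair(parse_asa(ASA1), parse_asa(ASA2)) or "configs are consistent")
    # Constructed failure: ASA2's side widened to 10.10.0.0/16, the classic proxy ID mismatch
    widened = ASA2.replace("10.10.10.0 255.255.255.0", "10.10.0.0 255.255.0.0")
    print(check_pair(parse_asa(ASA1), parse_asa(widened)))
```

Once the two configurations pass the check and interesting traffic is sent from one inside network to the other, `show crypto isakmp sa` on either ASA should show the phase 1 SA in state MM_ACTIVE and `show crypto ipsec sa` should show encaps and decaps counters increasing for the 10.10.10.0/24 to 10.20.20.0/24 pair.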

--IPv6Freely 15:02, 10 September 2008 (CDT)
